
[tor-relays] Re: Banned by Spamhaus and AWS



On 6/13/26 08:26, Ole Rydahl via tor-relays wrote:
> I have been running a non-exit Tor relay since Snowden and a The Guardian
> journalist used Tor. 

Awesome. We're in the same club. Consistent trusted operators are a
vital component in the network. You matter.

> 
> I am doing it using my public ip on my home network. 1Tbyte/day roughly. 
> 

Nice bandwidth, but residential IP and public Tor node aren't a good mix...

>  
> 
> Starting a year ago I was excluded from the Danish "internal revenue
> services" - skat.dk. However, using the Tor-browser I could still perform my
> duties there... Now! From May this year, my ip over and over again got
> listed at Spamhaus. My gateway only allows my MTA to use the ports 25, 465
> and 587. Mysterious! Spamhaus' services are used a lot, so it seriously
> limits who we can send mails to!
> 
>  
> 
> Spamhaus claims the following:
> 
> Why was this IP listed?
> 
> a.b.c.d has been classified as part of a proxy network. There is a type of
> malware using this IP that installs a proxy that can be used for nearly
> anything, including sending spam or stealing customer data. This should be
> of more concern than a Spamhaus listing, which is a symptom and not the
> problem.
> 
> The proxy is installed on a device - usually an Android mobile, firestick,
> smart doorbell, etc, but also iPads, and Windows computers - that is using
> your IP to send spam DIRECTLY to the internet via port 25: This is very
> often the result of third party "free" apps like VPNs, channel unlockers,
> streaming, etc being installed on someone's personal device, usually a
> phone.
> 
>  
> 
> After a thorough search for "infections" - including finding out that some
> Tor-relays are using port 465 and 587 as or-port - I caved in and stopped my
> tor-relay. After a few days the miracle happened: my ban at Spamhaus was
> lifted _and_ I was allowed access to skat.dk directly.
> 
>  
> 
> My conclusions based on my experiments so far are: Spamhaus falsely
> considers my Tor relay as malware and so does AWS. (Skat.dk are performing
> their services at AWS - judging from the IPs used.)
> 
>  
> 
> Hilfe!!!

In short, welcome to amateur hour in network security, which is now the
norm.

The new lazy is blocklists inclusive of all public Tor nodes, including
non-exits, because it provides some delusion of increased security.
Then tons of networks are subscribing to these lists to make security
"easy." I'm actually shocked you ran a public relay for that long on a
residential IP and haven't had any issues before.

I would do this:

Don't run a public Tor node (including a non-exit) on a residential
network. You will find that many of your providers, such as banks, will
subscribe to these primitive blocklists. Your experience is not unique.

Get a "clean" IP and run a vanilla bridge or a snowflake proxy, etc.

If possible, you might get an additional IP for egress network traffic,
if you really do want to continue running that public node.

If you have the energy, you might reach out to the dk IRS, etc and make
your case. The bigger battle is convincing the Spamhauses and AWSes of
the world.

Sorry for your hassles, but in times like these, persistence is
sometimes a requirement.

g


-- 
A3F5 9814 DDDC 2FAA E485 C354 7226 51EA 22B6 D315